File name: Mad-Installer.exe
Full analysis: https://app.any.run/tasks/431c0e27-a4d5-4f68-a835-cf060c1b8594
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 30, 2026, 16:26:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, loader, rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 10 sections
MD5: B6A989CA0E54D320516E476952805CD0
SHA1: F2ACA808016392BEF6BBFDC9E71CD008A0D4B408
SHA256: 2EE90A1EA33CABB04324C4C81FBF5E10324555DAA15A5CE1CCA057C12E61B096
SSDEEP: 98304:Xs0/YbjLQLzPShX3y9+FX1Wq1nk3LwtiXNfwaMPnfYrAkzwfbEXm7qMMNxwosU33:A/q5ZKB2Us6Qo1NxqDEExSq735

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • MicrosoftEdgeWebview2Setup.exe (PID: 6728)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdgeUpdate.exe (PID: 8560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8296)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8400)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8380)
      • MicrosoftEdgeUpdate.exe (PID: 7992)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • MicrosoftEdgeUpdate.exe (PID: 8732)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • setup.exe (PID: 4172)
      • MicrosoftEdgeUpdateCore.exe (PID: 7892)
      • MicrosoftEdgeUpdate.exe (PID: 7432)
      • MicrosoftEdgeUpdate.exe (PID: 7268)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 7688)
      • msedgewebview2.exe (PID: 8588)
      • msedgewebview2.exe (PID: 5916)
      • msedgewebview2.exe (PID: 8052)
      • msedgewebview2.exe (PID: 7936)
      • msedgewebview2.exe (PID: 8124)
      • msedgewebview2.exe (PID: 8436)
      • msedgewebview2.exe (PID: 3120)
      • msedgewebview2.exe (PID: 6140)
      • msedgewebview2.exe (PID: 6504)
      • msedgewebview2.exe (PID: 7404)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 8596)
    • Potential DLL hijacking behavior detected

      • msedgewebview2.exe (PID: 8052)
      • msedgewebview2.exe (PID: 3120)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 8124)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3380)
      • cmd.exe (PID: 2164)
      • cmd.exe (PID: 8348)
      • cmd.exe (PID: 8000)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2164)
    • Hides command output

      • cmd.exe (PID: 2164)
    • Executable content was dropped or overwritten

      • Mad-Installer.exe (PID: 3036)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6728)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • setup.exe (PID: 4172)
    • Reads the date of Windows installation

      • Mad-Installer.exe (PID: 3036)
      • Mad-Installer.exe (PID: 8724)
      • Mad-Installer.exe (PID: 4960)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 8596)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 8596)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8296)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8400)
      • MicrosoftEdgeUpdate.exe (PID: 8560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8380)
    • Searches for installed software

      • setup.exe (PID: 4172)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 8124)
  • INFO

    • Checks supported languages

      • Mad-Installer.exe (PID: 3036)
      • Madium.exe (PID: 5224)
      • identity_helper.exe (PID: 8268)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6728)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8400)
      • MicrosoftEdgeUpdate.exe (PID: 8560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8296)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8380)
      • MicrosoftEdgeUpdate.exe (PID: 8732)
      • MicrosoftEdgeUpdate.exe (PID: 7992)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • setup.exe (PID: 4172)
      • MicrosoftEdgeUpdateCore.exe (PID: 7892)
      • MicrosoftEdgeUpdate.exe (PID: 7268)
      • Mad-Installer.exe (PID: 8724)
      • Madium.exe (PID: 7792)
      • MicrosoftEdgeUpdate.exe (PID: 7432)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 7688)
      • msedgewebview2.exe (PID: 8588)
      • msedgewebview2.exe (PID: 8052)
      • msedgewebview2.exe (PID: 5916)
      • msedgewebview2.exe (PID: 7936)
      • Mad-Installer.exe (PID: 4960)
      • msedgewebview2.exe (PID: 8124)
      • Madium.exe (PID: 8792)
      • msedgewebview2.exe (PID: 8436)
      • msedgewebview2.exe (PID: 6504)
      • msedgewebview2.exe (PID: 3120)
      • msedgewebview2.exe (PID: 6140)
      • msedgewebview2.exe (PID: 7404)
    • Reads security settings of Internet Explorer

      • Mad-Installer.exe (PID: 3036)
      • Madium.exe (PID: 5224)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • Mad-Installer.exe (PID: 8724)
      • msedgewebview2.exe (PID: 880)
      • Mad-Installer.exe (PID: 4960)
      • msedgewebview2.exe (PID: 8124)
    • Create files in a temporary directory

      • Mad-Installer.exe (PID: 3036)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6728)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 8124)
    • Reads the computer name

      • Mad-Installer.exe (PID: 3036)
      • Madium.exe (PID: 5224)
      • identity_helper.exe (PID: 8268)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdgeUpdate.exe (PID: 8560)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8296)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8400)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 8380)
      • MicrosoftEdgeUpdate.exe (PID: 7992)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • MicrosoftEdgeUpdate.exe (PID: 8732)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • setup.exe (PID: 4172)
      • MicrosoftEdgeUpdate.exe (PID: 7268)
      • MicrosoftEdgeUpdateCore.exe (PID: 7892)
      • Mad-Installer.exe (PID: 8724)
      • MicrosoftEdgeUpdate.exe (PID: 7432)
      • msedgewebview2.exe (PID: 880)
      • Madium.exe (PID: 7792)
      • msedgewebview2.exe (PID: 8588)
      • msedgewebview2.exe (PID: 8052)
      • Mad-Installer.exe (PID: 4960)
      • Madium.exe (PID: 8792)
      • msedgewebview2.exe (PID: 8124)
      • msedgewebview2.exe (PID: 6504)
      • msedgewebview2.exe (PID: 3120)
    • Reads the machine GUID from the registry

      • Mad-Installer.exe (PID: 3036)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • Mad-Installer.exe (PID: 8724)
      • msedgewebview2.exe (PID: 880)
      • Mad-Installer.exe (PID: 4960)
      • msedgewebview2.exe (PID: 8124)
    • Creates files or folders in the user directory

      • Mad-Installer.exe (PID: 3036)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdgeUpdate.exe (PID: 8852)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • setup.exe (PID: 4172)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 7688)
      • msedgewebview2.exe (PID: 8588)
      • msedgewebview2.exe (PID: 8124)
      • msedgewebview2.exe (PID: 6504)
    • Process checks computer location settings

      • Mad-Installer.exe (PID: 3036)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • setup.exe (PID: 4172)
      • Mad-Installer.exe (PID: 8724)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 7936)
      • Mad-Installer.exe (PID: 4960)
      • msedgewebview2.exe (PID: 8124)
      • msedgewebview2.exe (PID: 7404)
    • Application launched itself

      • msedge.exe (PID: 1140)
      • msedge.exe (PID: 6804)
      • msedge.exe (PID: 1116)
    • Manual execution by a user

      • msedge.exe (PID: 1116)
      • MicrosoftEdgeUpdateCore.exe (PID: 7892)
      • Mad-Installer.exe (PID: 7424)
      • Mad-Installer.exe (PID: 8724)
      • Mad-Installer.exe (PID: 4960)
      • Mad-Installer.exe (PID: 8924)
    • Reads Environment values

      • identity_helper.exe (PID: 8268)
      • MicrosoftEdgeUpdate.exe (PID: 7992)
      • MicrosoftEdgeUpdate.exe (PID: 7432)
      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 8124)
    • Application based on Rust

      • Madium.exe (PID: 5224)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 1116)
      • msedge.exe (PID: 6556)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 1116)
    • There is functionality for taking screenshot (YARA)

      • Madium.exe (PID: 5224)
    • The sample compiled with english language support

      • msedge.exe (PID: 6556)
      • msedge.exe (PID: 1116)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6728)
      • MicrosoftEdgeUpdate.exe (PID: 8596)
      • MicrosoftEdge_X64_147.0.3912.86.exe (PID: 144)
      • setup.exe (PID: 4172)
    • Launching a file from a Registry key

      • MicrosoftEdgeUpdate.exe (PID: 8596)
    • Creates a software uninstall entry

      • setup.exe (PID: 4172)
    • Reads CPU info

      • msedgewebview2.exe (PID: 880)
      • msedgewebview2.exe (PID: 8124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:04:02 18:44:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.5
CodeSize: 217600
InitializedDataSize: 109056
UninitializedDataSize: -
EntryPoint: 0xeb14a8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 237
Monitored processes: 89
Malicious processes: 15
Suspicious processes: 17

Behavior graph

Processes shown in the interactive graph (rendered in the full report): mad-installer.exe, conhost.exe, cmd.exe, taskkill.exe, madium.exe, msedge.exe, identity_helper.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdatecomregistershell64.exe, microsoftedge_x64_147.0.3912.86.exe, setup.exe, microsoftedgeupdatecore.exe, Shell Security Editor, msedgewebview2.exe.

Process information

PID: 144
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{D50CA7A2-6A6F-40A7-9BFA-9D2925021721}\MicrosoftEdge_X64_147.0.3912.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{D50CA7A2-6A6F-40A7-9BFA-9D2925021721}\MicrosoftEdge_X64_147.0.3912.86.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
147.0.3912.86
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{d50ca7a2-6a6f-40a7-9bfa-9d2925021721}\microsoftedge_x64_147.0.3912.86.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
PID: 880
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\147.0.3912.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Madium.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\admin\AppData\Local\com.madium.app\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=7792.1140.11304814313253151945
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\147.0.3912.86\msedgewebview2.exe
Parent process: Madium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
147.0.3912.86
Modules (images):
c:\users\admin\appdata\local\microsoft\edgewebview\application\147.0.3912.86\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\147.0.3912.86\msedge_elf.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\version.dll
PID: 1116
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --disable-quic --flag-switches-end --do-not-de-elevate --single-argument https://developer.microsoft.com/en-us/microsoft-edge/webview2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://developer.microsoft.com/en-us/microsoft-edge/webview2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: Madium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1500
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=8072,i,15628912697718676592,3653384832639385121,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2164
CMD: C:\WINDOWS\system32\cmd.exe /c taskkill /F /IM Madium.exe /IM Loader.exe >nul 2>&1
Path: C:\Windows\System32\cmd.exe
Parent process: Mad-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2524
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=3968,i,15628912697718676592,3653384832639385121,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2532
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5088,i,15628912697718676592,3653384832639385121,262144 --variations-seed-version --mojo-platform-channel-handle=8160 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2876
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Mad-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3036
CMD: "C:\Users\admin\AppData\Local\Temp\Mad-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Mad-Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules (images):
c:\users\admin\appdata\local\temp\mad-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 217
Suspicious files: 206
Text files: 477
Unknown types: 23

Dropped files

PID 3036, Mad-Installer.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7E7D146147E46C8361E336CACF0A16E6 (binary)
MD5: E39FF105D3C7416AFFA713410D1E108F
SHA256: 82DB78346613D43CABA1F2627AC685D80CE9970FEF1802BAD5D1BE66EDF47DF0
PID 3036, Mad-Installer.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18159EBD3277736D0444419407768451_2FD781D15115165DD3192E4E42E088C7 (binary)
MD5: CB2E7DF3A09A666EE7C2A5AEF258248F
SHA256: 291F855CDED5CB0C19575C00FDDED891C786B8E04DA2C5571B0D78EEEB613A38
PID 3036, Mad-Installer.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18159EBD3277736D0444419407768451_2FD781D15115165DD3192E4E42E088C7 (binary)
MD5: C600C7F601FAD15C8550305678ED69D2
SHA256: EEFE5B29295D7498EE8E887097C24182CBAA50F0F6AB2029F21D7EC9426FB3E7
PID 3036, Mad-Installer.exe: C:\Users\admin\AppData\Roaming\Madium\Bin\Loader.exe (executable)
MD5: 692B9D29DD62BBB438D5D5134A52D6E9
SHA256: A80D3492512D09BA3D16CB9EE8A04635BC5E528FDFA10029E600A207A6617513
PID 6804, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations (text)
MD5: 961E3604F228B0D10541EBF921500C86
SHA256: F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
PID 1116, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFe3c78.TMP (no type or hashes listed)
PID 1116, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe3c78.TMP (no type or hashes listed)
PID 1116, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe3c78.TMP (no type or hashes listed)
PID 1116, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe3c78.TMP (no type or hashes listed)
PID 1116, msedge.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old (no type or hashes listed)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
214
TCP/UDP connections
127
DNS requests
109
Threats
17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3036 | Mad-Installer.exe | GET | 302 | 140.82.121.4:443 | https://github.com/olemadbusiness-blip/madium-public/releases/download/madium/Madium.exe | US | | | whitelisted
3036 | Mad-Installer.exe | GET | 302 | 140.82.121.4:443 | https://github.com/olemadbusiness-blip/madium-public/releases/download/madium/Loader.exe | US | | | whitelisted
3036 | Mad-Installer.exe | GET | 302 | 140.82.121.4:443 | https://github.com/olemadbusiness-blip/madium-public/releases/download/madium/Madium-Module.dll | US | | | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 104.18.21.213:80 | http://r12.c.lencr.org/91.crl | US | binary | 198 Kb | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 185.199.108.133:443 | https://raw.githubusercontent.com/olemadbusiness-blip/madium-public/refs/heads/main/version.txt | US | text | 6 b | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEBqer%2Bxt6OGbXBkxQbaNkN0%3D | US | binary | 978 b | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 185.199.108.133:443 | https://raw.githubusercontent.com/blazevise-pixel/testing/refs/heads/main/skbidid | US | text | 7 b | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3DhJWomGbOJFU%2Fpy58BaOB6aMCwQUF5moBMFv5C1wqAoQPQPT6Rq4JmMCEB3CicHq2vsE6dHPU9XXIlM%3D | US | binary | 282 b | whitelisted
3036 | Mad-Installer.exe | GET | 200 | 185.199.111.133:443 | https://release-assets.githubusercontent.com/github-production-release-asset/1196313220/534ec426-854a-4d05-9a97-8e8700a199b6?sp=r&sv=2018-11-09&sr=b&spr=https&se=2026-04-30T17%3A13%3A11Z&rscd=attachment%3B+filename%3DMadium.exe&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2026-04-30T16%3A13%3A05Z&ske=2026-04-30T17%3A13%3A11Z&sks=b&skv=2018-11-09&sig=lYAe83ODQXkdFFjIDb37ssHRNqwGsFWhKvF2%2Fq18W6o%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc3NzU2ODEwOSwibmJmIjoxNzc3NTY2MzA5LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.y96vpwFLuLCrPbVrEiKlgUGYCJJmXwDMlrS2pGRmwuQ&response-content-disposition=attachment%3B%20filename%3DMadium.exe&response-content-type=application%2Foctet-stream | US | executable | 5.00 Mb | whitelisted
6556 | msedge.exe | GET | 200 | 150.171.28.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:P9BGRuqOxK-dnm5mvXQ_SelucFxEvM4U5bzuNGNVYSM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 99 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
5484 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(no PID listed) | | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
3036 | Mad-Installer.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted
3036 | Mad-Installer.exe | 104.18.21.213:80 | r12.c.lencr.org | CLOUDFLARENET | US | whitelisted
3036 | Mad-Installer.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
3036 | Mad-Installer.exe | 104.18.38.233:80 | ocsp.usertrust.com | CLOUDFLARENET | US | whitelisted
3036 | Mad-Installer.exe | 172.64.149.23:80 | ocsp.usertrust.com | CLOUDFLARENET | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted
google.com | 142.251.13.113, 142.251.13.138, 142.251.13.102, 142.251.13.101, 142.251.13.100, 142.251.13.139 | whitelisted
raw.githubusercontent.com | 185.199.108.133, 185.199.111.133, 185.199.110.133, 185.199.109.133 | whitelisted
r12.c.lencr.org | 104.18.21.213, 104.18.20.213 | whitelisted
github.com | 140.82.121.4 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
ocsp.sectigo.com | 172.64.149.23, 104.18.38.233 | whitelisted
release-assets.githubusercontent.com | 185.199.111.133, 185.199.109.133, 185.199.108.133, 185.199.110.133 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28, 2.16.164.120, 2.16.164.49 | whitelisted

Threats

PID | Process | Class | Message
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access release user assets on GitHub
6556 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net) (8 occurrences)
Process | Message
Madium.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. (2 occurrences)
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\com.madium.app directory exists )
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\com.madium.app\EBWebView directory exists )